Banking Trojan "URLZone" Targets Japan

Another banking Trojan that is known to be active in Europe has been seen targeting Japan, FireEye reported on Tuesday.

Earlier this month, IBM researchers warned that cybercriminals had started using the Rovnix financial malware, which had been active in Europe, to target the customers of Japanese banks. Now, FireEye says URLZone, also known as Shiotob and Bebloh, has also started making rounds in Japan.

URLZone, which has been around since 2009, has been very active in Europe, particularly in Germany and Spain. However, in mid-December, FireEye spotted a new version of the malware being delivered to Japanese users via a spam campaign.

In July 2015, Arbor Networks reported that the authors of URLZone had made some changes to the Trojan’s command and control (C&C) communications. FireEye has now found a variant that leverages new persistence and evasion techniques.

The spam campaign used to deliver the malware in Japan involves emails with subject lines written in Japanese and English, and short sentences in Japanese for the body of the message.

The emails, most of which come from addresses on the softbank.jp and yahoo.co.jp domains, carry a ZIP archive designed to look like it contains image or document files. In reality, the archive contains a sample of the malware, which uses a technique known as process hollowing or process replacement to inject itself into the explorer.exe or iexplorer.exe processes in the initial infection stage.

Once it infects a machine, URLZone collects information on the system and sends it back to its C&C server. The threat attempts to reach its C&C at a domain that is hardcoded into the malware’s body, but if that fails, it makes use of a domain generation algorithm (DGA) to contact the server. When the C&C is reached, the Trojan downloads a configuration file containing the details of the targeted financial institutions.

The threat steals email addresses stored in the Windows Address Book. More sensitive information, such as web, email and FTP credentials, are stolen by injecting malicious code into processes associated with various applications, including Web browsers, FTP clients, and file explorers.

URLZone clears its registry configuration when the victim logs off, reboots or shuts down the computer in order to remain persistent and evade detection. The malware does this by using window procedures, functions that process messages sent or posted to a window. The malware uses a window procedure to monitor messages for WM_QUERYENDSESSION, a message sent when the user ends a session or a system shutdown function is initiated.

In order to prevent the Trojan from running in a virtual environment, which usually happens when security experts are conducting an analysis, URLZone authors designed the threat to terminate if certain strings that indicate the presence of a virtual machine are detected.

The first URLZone campaign was detected in Japan in December 16, but FireEye also spotted larger spam runs on January 19 and 20, which suggests the operation is ongoing.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.